Solved: ISE 1.2 Posture Update Issue

deepuvarghese1 · ‎04-28-2014

In ISE 1.2 below message is showing when we do a web posture update either manual or automatic.

"Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured".

It was working fine for long time and all of a sudden it stopped working
and no changes have made on the network side.
https://www.cisco.com/web/secure/pmbu/posture-update.xml is working in the browser.

Few customers had reported the same. Boxes are installed with latest patch version 7.

We can upload the updates through offline mode.

mcrukshanfdo · ‎04-28-2014

I have experienced the same issue. Both the posture update feed URLs

1. https://www.cisco.com/web/secure/pmbu/posture-update.xml

2. https://www.perfigo.com/ise/posture-update.xml

give the same error, when the ISE boxes try to do the updates. But these URLs are accessible from outside.

A TCP dump taken from a box shows as "Certificate unkown Alert " (when it tries to update) for the received certificate from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.

The relevant pcap file is attached

View solution in original post

mcrukshanfdo · ‎04-28-2014

I have experienced the same issue. Both the posture update feed URLs

1. https://www.cisco.com/web/secure/pmbu/posture-update.xml

2. https://www.perfigo.com/ise/posture-update.xml

give the same error, when the ISE boxes try to do the updates. But these URLs are accessible from outside.

A TCP dump taken from a box shows as "Certificate unkown Alert " (when it tries to update) for the received certificate from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.

The relevant pcap file is attached

descalante2007 · ‎05-14-2014

Recently I had the same issue. The dump clearly indicates a problem with a certificate, so I was able to fix it re-enabling all the factory certificates in the Certificate Store.

First I tried re-enabling one by one, but as I got the same result I tried re-enabling all of them at the same time

Regards.

rtanner · ‎03-08-2016

I had the same issue on ISE 1.3 and 1.4 just now.

I resolved it by adding the Root CA (Geotrust) into the trusted certificates. I had to put the URL in my browser to determine who had issued the cert in the first place, then went to their website to get it, since it wasn't in the ISE to begin with.

vinmangal · ‎03-04-2018

Many Thanks Rtaner,

I had same problem from last 2 week and it wroked for me. Very different kind of certificate issue. I download certificate from Thawte and Hydrant IDE and imported into ISE trusted. Thanks a Ton for posting this solution. I had very difficult time becauseof this weird error.

vinmangal · ‎03-04-2018

Many Thanks to rtaner for posting this solution. I had this connectvity failing error to BlueCoat proxy and I tried to connect ISE with multiple Proxy IP and port and it kept failing.

emattison1 · ‎03-24-2018

This is still totally valid. I'm playing with 1.4 to go for the SISAS, and this has been bugging me. I downloaded the HydrantID SSL ICA G2 root cert, and that fixed it for me as well!

Thanks!

Antonio Macia · ‎03-09-2018

Hello,

I ran into this issue and I solved it by adding the "QuoVadis Root CA2"CA as trusted certificate.

Regards.

Ali · ‎03-25-2018

I also Ran into this Issue and found this below update.......

https://www.cisco.com/c/en/us/support/docs/field-notices/701/fn70122.html

*** Important Update on ISE Please read carefully ***

---------------------------------------------------------------------------

ISE connects to Cisco.com via SSL in order to obtain binary and data updates for Posture and BYOD. On February 14th the certificates used for the Posture Feed Server are being replaced. To prevent any issues with downloading Posture Feed Server updates, please go to software.cisco.com (LINK) and download the two new Root and Intermediate certificates and then import them into your Trusted Certificate store in ISE. When importing the certificates into ISE, please be sure to check the box to “Trust for authentication of Cisco Services”.

If the certificates are not updated before Feb 14^th then this change will prevent ISE from downloading new software packages directly from Cisco, but will not affect the configuration or operation of Posture or BYOD for end clients.

istafrica · ‎05-13-2018

Thank You.. this works like charm..Thumbs up

alihk1979 · ‎09-04-2018

Hello All , I am facing same problem with Ise 1.2 the problem is that I couldn't find "Trust for authentication of Cisco Services” to check on it, this option is missing from the certificate, any one has a solution for this.

Thank you

esen.emre · ‎11-15-2018

Thank You Ali,